The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.2. It requires authentication. Most teams filed it below the criticals. It was still the entry point for a two-week, full-domain compromise, and the cleanup tactic was installing rogue antivirus to make the real EDR fall over.
In the SharePoint intrusion Rapid7’s IR team documented, the part worth remembering isn’t the initial exploit. It’s what the attacker did to the defenders. They installed Huorong, a legitimate Chinese antivirus product, onto a compromised host. Not malware. A real AV engine. The point was the resource conflict: two antivirus products fighting over the same hooks and files drove the machine into a state where the environment’s actual security tooling crashed and stopped reporting. They didn’t disable your EDR. They gave it a roommate it couldn’t live with.
The way in was CVE-2024-38094, a SharePoint deserialization bug rated CVSS 7.2. That score is the reason this is worth writing about.
A 7.2 is not a “later” ticket
CVE-2024-38094 is a deserialization-of-untrusted-data flaw (CWE-502) in on-premise SharePoint Server. Microsoft patched it in the July 2024 update cycle, and it affects SharePoint Server 2019, SharePoint Server Subscription Edition, and SharePoint Enterprise Server 2016. The CVSS vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The number lands at 7.2 instead of in the nines for one reason: PR:H, privileges required is high. An attacker has to be authenticated, with Site Owner permissions, before the bug fires.
That single attribute is what got this CVE triaged below the headline criticals in a lot of shops. The reasoning goes: it needs authentication, so it’s a post-compromise problem, so it can wait for the regular maintenance window. The reasoning is wrong, and it’s wrong in a specific, predictable way.
Site Owner is not domain admin. On a mature SharePoint deployment, plenty of ordinary users hold owner rights on a site collection, because that’s how SharePoint is meant to be delegated. Add a single phished or reused credential with that level of access, and PR:H is satisfied. From there, the bug turns an authenticated low-trust user into code execution on the SharePoint server itself. CVSS measures the bug. It does not measure how common the precondition is in your environment, and in this case the precondition is “a user with Site Owner rights,” which is not a high bar.
What the exploitation actually looked like
CISA added CVE-2024-38094 to the Known Exploited Vulnerabilities catalog on October 22, 2024 with a remediation deadline of November 12 and the ransomware-use flag set. By then a public proof-of-concept was circulating, which is what turned a theoretical authenticated RCE into a commodity initial-access technique.
In the Rapid7 case, the attacker used the SharePoint server as the front door and then settled in. They dropped a web shell named ghostfile93.aspx, which generated a recognizable burst of HTTP POST requests from a single external IP tied to the exploit string. Over roughly two weeks of dwell time, they used Impacket and Mimikatz to harvest credentials and move laterally, eventually landing on a Microsoft Exchange service account that held domain administrator rights. That account was the pivot from “a compromised SharePoint box” to “the whole Active Directory domain.” They also went after the backups, which is the move that turns an intrusion into a leverage problem.
The rogue-antivirus trick sits in the middle of that chain. It’s a defense-impairment technique that doesn’t require killing a single process by name or tripping the tamper-protection that modern EDR uses to stop exactly that. Installing a conflicting AV is, on paper, a normal administrative action. The crash that follows looks like an instability problem, not an attack, which buys the intruder quiet time while your detection coverage is dark.
What to do
If you run on-premise SharePoint, the work splits into patch, hunt, and harden.
- Patch, and confirm the build. The fix shipped in July 2024. If your SharePoint farm is on a build older than that cycle, you are exposed to a KEV-listed, ransomware-associated, publicly-PoC’d RCE. SharePoint patching has its own sequencing (binaries, then the configuration wizard across the farm), so verify the patch actually completed on every server, not just that the installer ran. A half-applied SharePoint update is a known way to think you’re patched when you aren’t.
- Hunt for the entry indicators. Look for unexpected .aspx files in SharePoint web directories, web shells served from _layouts or site directories, and clusters of POST requests from a single external IP against SharePoint endpoints. ghostfile93.aspx was one campaign’s filename, not a signature, so hunt the pattern, not the string.
- Treat unexplained EDR crashes as a finding. This is the durable lesson. If your endpoint protection on a server “just crashed” or stopped reporting, and especially if a second security or antivirus product appeared on that host that nobody in your team installed, that is potential defense impairment, not a flaky agent. Alert on new AV/security-product installs on servers, and make sure your EDR telemetry being absent generates an alert on its own.
- Audit who holds Site Owner. The bug needs that privilege. The fewer accounts that have it, and the better those accounts are protected with MFA and monitoring, the smaller the population that can reach this class of SharePoint bug at all. This pays off well beyond one CVE.
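The hunt step above, as an added example rather than anything from the post or Rapid7's report: it parses IIS W3C logs from the SharePoint front end and flags both patterns, a burst of POSTs from one external address and .aspx names under _layouts that a known-good baseline does not contain. The log lines, the internal address ranges and the baseline set are constructed assumptions; only the ghostfile93.aspx name comes from the post.

```python
"""Added hunt over IIS W3C logs for the two entry indicators above: POST bursts
from one external IP, and .aspx under _layouts missing from a known-good baseline."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed log (not a capture). ghostfile93.aspx is the name from the Rapid7 case.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-10-01 09:00:01 10.0.0.5 GET /_layouts/15/start.aspx 200
2024-10-01 09:00:02 203.0.113.7 POST /_layouts/15/ghostfile93.aspx 200
2024-10-01 09:00:03 203.0.113.7 POST /_layouts/15/ghostfile93.aspx 200
2024-10-01 09:00:04 203.0.113.7 POST /_layouts/15/ghostfile93.aspx 200
2024-10-01 09:00:05 203.0.113.7 POST /_layouts/15/ghostfile93.aspx 500
2024-10-01 09:10:00 10.0.0.9 POST /_layouts/15/upload.aspx 200
"""
# Assumed internal ranges, and an assumed baseline of legitimate _layouts pages taken from a clean farm.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_LAYOUTS = {"start.aspx", "upload.aspx"}

def parse_iis(text):
    """Use the #Fields: header to turn each data line into a dict keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def post_bursts(rows, threshold=4, window_s=60):
    """External IP -> most POSTs it sent inside any window_s span, reported only if >= threshold."""
    times = defaultdict(list)
    for r in rows:
        addr = ipaddress.ip_address(r["c-ip"])
        if r["cs-method"] == "POST" and not any(addr in net for net in INTERNAL_NETS):
            times[r["c-ip"]].append(datetime.fromisoformat(r["date"] + " " + r["time"]))
    bursts = {}
    for ip, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):  # count POSTs in the window that opens at each request
            n = sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_s)
            if n >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), n)
    return bursts

def unexpected_layouts_aspx(rows):
    """.aspx names requested under /_layouts/ that the baseline does not know."""
    stems = [r["cs-uri-stem"].lower() for r in rows]
    names = {s.rsplit("/", 1)[-1] for s in stems if "/_layouts/" in s and s.endswith(".aspx")}
    return sorted(names - KNOWN_LAYOUTS)
```

Run both functions over `parse_iis(open(path).read())` for each daily log; the baseline check is what catches a renamed shell, since the burst check alone can be defeated by pacing.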
The reframe is the part to carry into your next triage meeting. The CVSS score told you how hard the bug is to exploit in the abstract. It told you nothing about whether the precondition is sitting in your environment right now, or about what a competent intruder does in the two weeks after they’re through the door. A 7.2 that lands on an internet-reachable SharePoint server, with Site Owner rights that half your power users already hold, is a higher-priority ticket than its number suggests.
We read every KEV addition for exactly this gap, the one between the score a vulnerability gets and the access it actually grants, so the mid-rated bug that owns your domain doesn’t sit in the “later” pile until it’s an incident.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-38094 — 2024-07-09
- Microsoft MSRC: CVE-2024-38094 — 2024-07-09
- Rapid7: Investigating a SharePoint Compromise, IR Tales from the Field — 2024-10-30
- SecurityWeek: CISA warns recent Microsoft SharePoint RCE flaw exploited in attacks — 2024-10
- Help Net Security: Exploited Cisco, SharePoint, Chrome vulnerabilities — 2024-10-25